[EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] wrote:
> Opinions - not on what happens today in 1.3 but what should happen in a
> perfect world:
>
> Given a config like this:
>
>   <Directory /my/secrets>
>   AuthType basic
>   AuthName Restricted area
>   </Directory>
>
> What should happen? Allowed in with, or without a password?
> What would users feel as most logical?

They want it to be open probably, unless you got security savvy types,
they want it closed. In other words: Default Policy Closed.

If it doesn't serve content people will notice, people will complain,
people will fix. If it by default serves content, it could be content
that people didn't want to serve at all.

> Then
>
>   <Directory /my/secrets>
>   AuthType basic
>   AuthName Restricted area
>   <Limit POST>
>   require valid-user
>   </Limit>
>   </Directory>
>
> Same here when using a GET. (Note - I've not even started with 'allow
> from' or 'satisfy any' complexity).

Maybe introduce a "LimitPolicy Deny". But we got "Order deny,allow" for
that. If we take into consideration that "Order" defaults to "deny,allow"
one would end up:

- Allowing POST to valid-user.
- Denying anything else.

Greets,

Jeroen
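
For reference, the two configurations from the thread written out beside a closed-by-default variant, with comments on how the 1.3 and 2.2 access model actually evaluates each one. This is an added illustration, not text from Jeroen's message or from the httpd project; the AuthUserFile path and the network in the Allow line are placeholders.

```apache
# Constructed illustration of the 1.3 / 2.2-style directives discussed above.
# /path/to/htpasswd and 192.0.2.0/24 are placeholders, not real values.

# 1. AuthType/AuthName with no "require": no directive demands credentials,
#    and the implicit "Order deny,allow" with no Deny lines admits every host,
#    so this block serves /my/secrets to anyone, password or not.
<Directory /my/secrets>
    AuthType Basic
    AuthName "Restricted area"
    AuthUserFile /path/to/htpasswd
</Directory>

# 2. "require" only inside <Limit POST>: POST needs a valid user, but GET,
#    HEAD and every method not named in the <Limit> stay unauthenticated.
<Directory /my/secrets>
    AuthType Basic
    AuthName "Restricted area"
    AuthUserFile /path/to/htpasswd
    <Limit POST>
        require valid-user
    </Limit>
</Directory>

# 3. Closed by default: "require" outside any <Limit> applies to all methods;
#    "Order allow,deny" rejects any host that no Allow line matches; and
#    "Satisfy all" (already the default, stated here for clarity) means both
#    the host check and the password check must pass.
<Directory /my/secrets>
    AuthType Basic
    AuthName "Restricted area"
    AuthUserFile /path/to/htpasswd
    Order allow,deny
    Allow from 192.0.2.0/24
    Satisfy all
    require valid-user
</Directory>
```

The point of the third block is that the closed policy comes from two separate mechanisms: the host-level check (Order/Allow/Deny) and the user-level check (require), and only the latter is affected by <Limit>, so a "require" placed inside <Limit POST> leaves every other method governed solely by the host rules.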
